[PATCH] MP4 32-bit chunk size buffer overrun fix per the corporatists (CVE-2024-7347 2024-08-14)
skull-squadron
barry.allard at gmail.com
Fri Aug 23 04:19:58 UTC 2024
# HG changeset patch
# User skull-squadron <barry.allard at gmail.com>
# Date 1724385465 18000
# Thu Aug 22 22:57:45 2024 -0500
# Node ID 045b92ed3e5a79153363cdae44278eb149fee6c2
# Parent cf73b65983c2d093f5b6651f8b45b9973a68e9f5
MP4 32-bit chunk size buffer overrun fix per the corporatists (CVE-2024-7347 2024-08-14)
diff -r cf73b65983c2 -r 045b92ed3e5a src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c Tue Aug 13 17:26:33 2024 +0300
+++ b/src/http/modules/ngx_http_mp4_module.c Thu Aug 22 22:57:45 2024 -0500
@@ -3099,7 +3099,8 @@
ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak, ngx_uint_t start)
{
- uint32_t start_sample, chunk, samples, id, next_chunk, n,
+ uint64_t n;
+ uint32_t start_sample, chunk, samples, id, next_chunk,
prev_samples;
ngx_buf_t *data, *buf;
ngx_uint_t entries, target_chunk, chunk_samples;
@@ -3155,12 +3156,19 @@
next_chunk = ngx_mp4_get_32value(entry->chunk);
+ if (next_chunk < chunk) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "unordered mp4 stsc chunks in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
"sample:%uD, chunk:%uD, chunks:%uD, "
"samples:%uD, id:%uD",
start_sample, chunk, next_chunk - chunk, samples, id);
- n = (next_chunk - chunk) * samples;
+ n = (uint64_t) (next_chunk - chunk) * samples;
if (start_sample < n) {
goto found;
@@ -3182,7 +3190,7 @@
"sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
start_sample, chunk, next_chunk - chunk, samples);
- n = (next_chunk - chunk) * samples;
+ n = (uint64_t) (next_chunk - chunk) * samples;
if (start_sample > n) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
More information about the nginx-devel
mailing list